Social engineering attacks cover a wide range of activities. Phishing, for instance, is a social engineering attack (SEA). The victim receives a legitimate-looking e-mail, follows a link to a legitimate-looking website they’re familiar with, and often divulges sensitive information to a malicious third party. As end users are made aware of such activities, the attacks generally must become more sophisticated in order to remain effective. Recently, attacks of this nature have become narrowly targeted at specific companies, often mimicking internal system logins and targeting only individuals working at the subject company. It’s an electronic numbers game conducted from afar, and the reason it is so common is that it works!
At the heart of every SEA is a human emotion, without which the attacks will not work. Emotion is what derails security policy and practices, by leading the human user to make an exception to the rules for what they believe is a good reason. Commonly exploited simple emotions, and an example of how each is exploited, include:
• Greed A promise you’ll get something very valuable if you do this one thing
• Lust An offer to look at a sexy picture you just have to see
• Empathy An appeal for help from someone impersonating someone younknow
• Curiosity Notice of something you just have to know, read, or see
• Vanity Isn’t this a great picture of you?
These emotions are frequently used to get a computer user to perform a seemingly innocuous action, such as logging into an online account or following an Internet URL from an e-mail or instant messaging client. The actual action is one of installing malicious software on their computer or divulging sensitive information.
Of course, there are more complex emotions exploited by more sophisticated social engineers. While sending someone an instant message with a link that says “I love this photo of you” is a straightforward appeal to their vanity, getting a secretary to fax you an internal contact list or a tech support agent to reset a password for you is quite a different matter. Attacks of this nature generally attempt to exploit more complex aspects of human behavior, such as
• A desire to be helpful “If you’re not busy, would you please copy this file from this CD to this USB flash drive for me?” Most of us are taught from an early age to be friendly and helpful. We take this attitude with us to the workplace.
• Authority/conflict avoidance “If you don’t let me use the conference room to e-mail this report to Mr. Smith, it’ll cost the company a lot of money and you your job.” If the social engineer looks authoritative and unapproachable, the target usually takes the easy way out by doing what’s asked of them and avoiding a conflict.
• Social proof “Hey look, my company has a Facebook group and a lot of people I know have joined.” If others are doing it, people feel more comfortable doing something they wouldn’t normally do alone.
No matter what emotional button the attacker is attempting to push, the premise is always the same: the intended victim will not sense the risk of their action or guess the real intentions of the attacker until it’s too late or, in many cases, not at all. Because the intended victims in these cases most often are working on computers inside of the target company network, getting them to run a remote access program or otherwise grant you remote access directly or indirectly can be the fast track to obtaining targeted sensitive data during a penetration test.